Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Snort-users] Where do I go from here

from [Timothy A. Holmes] Network Security [Permanent Link]
Subject: [Snort-users] Where do I go from here
Date: Tue, 15 Nov 2005 14:15:49 -0500 
Hi Folks:

After some fits and starts, I believe that I have a functional IDS Box
watching the front door now, and I took out the back door (Wireless ap)
and repaired the hole in the wall with bricks and mortar

 

So, I guess the next question is what is the next step?



To summarize, I have a SNORT box up and sniffing on the inbound line
between the Cable Modem and the Firewall.  The management port is inside
the firewall and has an IP on it while the sniffing port is outside the
firewall and does not have one.  

 

I am logging to a mysql database, and running base for reporting.

 

As of the last check, I have received about 4500 alerts today, here is
the breakdown from base on them

 

Displaying alerts 1-7 of 7 total







   

 <
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=sig_a

 Signature >

<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=sig_d

 


 <
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=class
_a>  Classification >
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=class
_d>  

 <
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=occur
_a>  Total # >
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=occur
_d>  

 Sensor # 

 <
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=saddr
_a>  Source Address >
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=saddr
_d>  

 <
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=daddr
_a>  Dest. Address >
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=daddr
_d>  

 <
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=first
_a>  First >
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=first
_d>  

 <
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=last_
a>  Last >
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=last_
d>  

      

[snort <http://www.snort.org/pub-bin/sigs.cgi?sid=3> ] (portscan) TCP
Portsweep 

unclassified 

55
<https://192.168.0.28/base/base_qry_main.php?new=1&sig%5B0%5D=%3D&sig%5B
1%5D=1&sig_type=1&submit=Query+DB&num_result_rows=-1> (0%) 

1
<https://192.168.0.28/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5
D=1&sig_type=1>  

1
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=1&sig_type=1&si
g%5B0%5D=%3D&sig%5B1%5D=1>  

31
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=2&sig_type=1&si
g%5B0%5D=%3D&sig%5B1%5D=1>  

2005-11-15 03:06:05 

2005-11-15 13:12:23 

      

[snort <http://www.snort.org/pub-bin/sigs.cgi?sid=27> ] (portscan) Open
Port 

unclassified 

3679
<https://192.168.0.28/base/base_qry_main.php?new=1&sig%5B0%5D=%3D&sig%5B
1%5D=2&sig_type=1&submit=Query+DB&num_result_rows=-1> (33%) 

1
<https://192.168.0.28/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5
D=2&sig_type=1>  

1
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=1&sig_type=1&si
g%5B0%5D=%3D&sig%5B1%5D=2>  

302
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=2&sig_type=1&si
g%5B0%5D=%3D&sig%5B1%5D=2>  

2005-11-15 03:06:08 

2005-11-15 13:12:28 

      

[snort <http://www.snort.org/pub-bin/sigs.cgi?sid=4> ] (http_inspect)
BARE BYTE UNICODE ENCODING 

unclassified 

444
<https://192.168.0.28/base/base_qry_main.php?new=1&sig%5B0%5D=%3D&sig%5B
1%5D=3&sig_type=1&submit=Query+DB&num_result_rows=-1> (4%) 

1
<https://192.168.0.28/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5
D=3&sig_type=1>  

2
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=1&sig_type=1&si
g%5B0%5D=%3D&sig%5B1%5D=3>  

1
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=2&sig_type=1&si
g%5B0%5D=%3D&sig%5B1%5D=3>  

2005-11-15 00:37:16 

2005-11-15 14:12:38 

      

[snort <http://www.snort.org/pub-bin/sigs.cgi?sid=2> ] (http_inspect)
DOUBLE DECODING ATTACK 

unclassified 

21
<https://192.168.0.28/base/base_qry_main.php?new=1&sig%5B0%5D=%3D&sig%5B
1%5D=4&sig_type=1&submit=Query+DB&num_result_rows=-1> (0%) 

1
<https://192.168.0.28/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5
D=4&sig_type=1>  

1
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=1&sig_type=1&si
g%5B0%5D=%3D&sig%5B1%5D=4>  

9
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=2&sig_type=1&si
g%5B0%5D=%3D&sig%5B1%5D=4>  

2005-11-15 07:16:16 

2005-11-15 12:38:53 

      

[snort <http://www.snort.org/pub-bin/sigs.cgi?sid=15> ] (http_inspect)
OVERSIZE REQUEST-URI DIRECTORY 

unclassified 

6
<https://192.168.0.28/base/base_qry_main.php?new=1&sig%5B0%5D=%3D&sig%5B
1%5D=6&sig_type=1&submit=Query+DB&num_result_rows=-1> (0%) 

1
<https://192.168.0.28/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5
D=6&sig_type=1>  

1
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=1&sig_type=1&si
g%5B0%5D=%3D&sig%5B1%5D=6>  

3
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=2&sig_type=1&si
g%5B0%5D=%3D&sig%5B1%5D=6>  

2005-11-15 10:43:42 

2005-11-15 11:46:43 

      

[snort <http://www.snort.org/pub-bin/sigs.cgi?sid=1> ] (portscan) TCP
Portscan 

unclassified 

3
<https://192.168.0.28/base/base_qry_main.php?new=1&sig%5B0%5D=%3D&sig%5B
1%5D=9&sig_type=1&submit=Query+DB&num_result_rows=-1> (0%) 

1
<https://192.168.0.28/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5
D=9&sig_type=1>  

1
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=1&sig_type=1&si
g%5B0%5D=%3D&sig%5B1%5D=9>  

3
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=2&sig_type=1&si
g%5B0%5D=%3D&sig%5B1%5D=9>  

2005-11-15 10:36:26 

2005-11-15 10:36:42 

      

[snort <http://www.snort.org/pub-bin/sigs.cgi?sid=16> ] (http_inspect)
OVERSIZE CHUNK ENCODING 

unclassified 

3
<https://192.168.0.28/base/base_qry_main.php?new=1&sig%5B0%5D=%3D&sig%5B
1%5D=13&sig_type=1&submit=Query+DB&num_result_rows=-1> (0%) 

1
<https://192.168.0.28/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5
D=13&sig_type=1>  

1
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=1&sig_type=1&si
g%5B0%5D=%3D&sig%5B1%5D=13>  

1
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=2&sig_type=1&si
g%5B0%5D=%3D&sig%5B1%5D=13>  

2005-11-15 11:45:36 

2005-11-15 11:46:40 

 

 

 

I guess I need to know what to do next and how to begin utilizing this
data to better protect my network

 

Anyone who can help, or point me to the proper resources would be
greatly appreciated

 

TIM



 

Timothy A. Holmes

IT Manager / Network Admin / Web Master / Computer Teacher

 

Medina Christian Academy

A Higher Standard...

 

Jeremiah 33:3

Jeremiah 29:11

Esther 4:14
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Snort-users] No clue?, Matt Kettler
Next by Date:  RE: [Snort-users] No clue?, John Friedman
Previous by Thread:  [Snort-users] modularising snort, cynthia
Next by Thread:  RE: [Snort-users] Where do I go from here, Briggs, Bruce
Indexes:  [Date] [Thread] [Top] [All Lists]